---
id: http-api
sidebar_label: HTTP API
title: Rasa HTTP API
description: Read about Rasa's HTTP API that has endpoints for conversations, training models, and configuring your bot.
abstract: You can use the HTTP API to interact with a running Rasa server. With the API, you can train models,
  send messages, run tests, and more.
---

:::tip Looking for API endpoints? 
Check out the [API Spec](/pages/http-api) for all of the available endpoints as well as their request and response formats.

:::

## Enabling the HTTP API

By default, running a Rasa server does not enable the API endpoints. Interactions
with the bot can happen over the exposed `webhooks/<channel>/webhook` endpoints.

To enable the API for direct interaction with conversation trackers and other
bot endpoints, add the `--enable-api` parameter to your run command:

```bash
rasa run --enable-api
```

Note that you start the server with an NLU-only model, not all the available endpoints
can be called. Some endpoints will return a 409 status code, as a trained
dialogue model is needed to process the request.


:::caution
Make sure to secure your server, either by restricting access to the server (e.g. using firewalls), or
by enabling an authentication method. See [Security Considerations](./http-api.mdx#security-considerations).

:::

By default, the HTTP server runs as a single process. You can change the number
of worker processes using the `SANIC_WORKERS` environment variable. It is
recommended that you set the number of workers to the number of available CPU cores
(check out the
[Sanic docs](https://sanicframework.org/en/guide/deployment/running.html#workers)
for more details). This will only work in combination with the
`RedisLockStore` (see [Lock Stores](./lock-stores.mdx).

:::caution
The [SocketIO channel](./connectors/your-own-website.mdx#websocket-channel) does not support multiple worker processes. 

:::

## Security Considerations

We recommend that you don't expose the Rasa Server to the outside world directly, but
rather connect to it via e.g. Nginx.

Nevertheless, there are two authentication methods built in:

### Token Based Auth

To use a plaintext token to secure your server, specify the token in the argument `--auth-token thisismysecret` when starting
the server:

```bash
rasa run \
    --enable-api \
    --auth-token thisismysecret
```

You can also use environment variable `AUTH_TOKEN` to set the auth token:
```
AUTH_TOKEN=thisismysecret
```

:::tip Security best practice

We recommend that you use environment variables to store
and share sensitive information such as tokens and secrets
when deploying Rasa as Docker container as they will not be stored in your shell history.
:::

Any clients sending requests to the server must pass the token
as a query parameter, or the request will be rejected. For example, to fetch a tracker from the server:

```bash
curl -XGET localhost:5005/conversations/default/tracker?token=thisismysecret
```

### JWT Based Auth

To use JWT based authentication, specify the JWT secret in the argument `--jwt-secret thisismysecret`
on startup of the server:


```bash
rasa run \
    --enable-api \
    --jwt-secret thisismysecret
```

You can also use environment variable `JWT_SECRET` to set the JWT secret:
```
JWT_SECRET=thisismysecret
```

:::tip Security best practice

We recommend that you use environment variables to store
and share sensitive information such as tokens and secrets
when deploying Rasa as Docker container as they will not be stored in your shell history.
:::

If you want to sign a JWT token with asymmetric algorithms, you can specify the JWT private key to the `--jwt-private-key`
CLI argument. You must pass the public key to the `--jwt-secret` argument, and also specify the algorithm to the
`--jwt-method` argument:

```bash
rasa run \
    --enable-api \
    --jwt-secret <public_key> \
    --jwt-private-key <private_key> \
    --jwt-method RS512
```

You can also use environment variables to configure JWT:
```
JWT_SECRET=<public_key>
JWT_PRIVATE_KEY=<private_key>
JWT_METHOD=RS512
```

:::tip Security best practice

We recommend that you use environment variables to store
and share sensitive information such as tokens and secrets
when deploying Rasa as Docker container as they will not be stored in your shell history.
:::

Client requests to the server will need to contain a valid JWT token in
the `Authorization` header that is signed using this secret
and the `HS256` algorithm e.g.

```text
"Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ"
                 "zdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIi"
                 "wiaWF0IjoxNTE2MjM5MDIyfQ.qdrr2_a7Sd80gmCWjnDomO"
                 "Gl8eZFVfKXA6jhncgRn-I"
```

The token's payload must contain an object under the `user` key,
which in turn must contain the `username` and `role` attributes.
The following is an example payload for a JWT token:

```json
{
    "user": {
        "username": "<sender_id>",
        "role": "user"
    }
}
```

If the `role` is `admin`, all endpoints are accessible.
If the `role` is `user`, endpoints with a `sender_id` parameter are only accessible
if the `sender_id` matches the payload's `username` property.

```bash
rasa run \
    -m models \
    --enable-api \
    --jwt-secret thisismysecret
```

To create and encode the token, you can use tools such as the [JWT Debugger](https://jwt.io/), or a Python module such as [PyJWT](https://pyjwt.readthedocs.io/en/latest/).

